Windows event logs

    Windows Event Logs are a detailed record of notifications stored by the Windows operating system. These logs are used for troubleshooting and for monitoring the health and security of a system. Dynatrace OneAgent uses the native Windows API to gather all log records. There are three main logs:

    • Application Logs: Contains events logged by applications or programs.
    • System Logs: Contains events logged by Windows system components.
    • Security Logs: Contains security-related events like login attempts and resource access.

    Windows Event Logs are automatically detected and can be ingested using Dynatrace OneAgent. You can add custom event logs through the Custom log source configuration.

    Configure Windows event logs ingestion

    There are multiple ways to configure your Windows event logs. To enable and customize their ingestion, follow the steps below:

    Enable Windows event log ingestion

    The following configuration allows Windows event logs to be ingested and made ready for analysis. Follow the steps below:

    1. Go to Settings > Log Monitoring > Log ingest rules.

    2. Enable the [Built-in] Windows system, application, and security logs rule.

    If the [Built-in] Ingest all logs option is enabled, Windows event logs are automatically included, and no additional configuration is required to enable their ingestion.

    Create an ingest rule based on the Windows event logs attributes

    Follow the steps below when you want to collect only specific Windows event logs, selected by their attributes, rather than ingesting all available logs.

    1. Go to Settings > Log Monitoring > Log ingest rules.

    2. Select Add rule and provide the name for your configuration in the Rule name field.

    3. Make sure that the Include in storage button is turned on, so logs matching this configuration will be stored in Dynatrace.

    4. Select Add condition.

    5. From the Matcher attribute dropdown, select one or more of the Windows log attributes.

    6. Input the matcher in the Value field, according to the chosen attribute, and select Add matcher.

    7. Select Save changes.

    Create an ingest rule based on the Windows event logs name

    Follow the steps below when you want to collect only specific Windows event logs, selected by their names, rather than ingesting all available logs.

    1. Go to Settings > Log Monitoring > Log ingest rules.

    2. Select Add rule and provide the name for your configuration in the Rule name field.

    3. Make sure that the Include in storage button is turned on, so logs matching this configuration will be stored in Dynatrace.

    4. Select Add condition.

    5. From the Matcher attribute dropdown, select Log source.

    6. Input one or more Windows log matchers in the Value field (Windows Application Log, Windows Security Log, or Windows System Log), and select Add matcher.

    7. Select Save changes.

    Add a custom Windows event log source

    Custom Windows event log sources are useful when you need to ingest logs from custom applications or from logs created by third-party software. For example, if your organization has a custom application that writes to its own dedicated event log, you can use this feature to collect and analyze that log in Dynatrace.

    To ingest custom Windows event logs, you can define a custom log source. Follow the steps below to configure and add a custom Windows event log source according to your requirements.

    1. Go to Settings > Log Monitoring > Custom log sources.

    2. Select Add custom log source and provide the name for your configuration in the Rule name field.

    3. Optional: Bind your rule to a process group by selecting the process group name from the dropdown menu.

    4. Select the Windows Event log option for the custom log source path.

    5. Select Add custom log source path, and enter the full name for the event log source.

    6. Select Save changes.

    7. If required, add the corresponding ingest rule.

    Attributes selected in Windows event logs

    For Windows event logs, Log Monitoring detects the following fields and sends them as custom attributes:

    | Semantic attribute name | Configuration matcher name | Event property | Description |
    |---|---|---|---|
    | winlog.keywords | Windows log record keywords | Event.RenderingInfo.Keywords | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
    | winlog.username | Windows log record user name | Event.System.Security.UserID | The user name of the event provider that logged the event. |
    | winlog.level | none (use Log record level instead) | Event.RenderingInfo.Level | The severity level defined in the event. This attribute is not available in the configuration matchers, but you can use the Log record level instead. |
    | winlog.eventid | Windows log record event ID | Event.System.EventID | The identifier that the provider used to identify the event. |
    | winlog.provider | Windows log record source | Event.System.Provider.Name | Identifies the provider that logged the event. |
    | winlog.task | Windows log record task category | Event.System.Task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
    | winlog.opcode | Windows log record operational code | Event.RenderingInfo.Opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
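To make the attribute table and the attribute-based and name-based ingest rule steps concrete, here is an added Python example (not Dynatrace code) that reads one event in the Windows event XML format, picks out the event properties named in the table, and evaluates a rule against the resulting winlog.* attributes. The sample event is constructed, and the log.source key name, the channel-to-log-source mapping and the rule-matching logic are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML (e.g. wevtutil qe /f:RenderedXml output, which includes RenderingInfo).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample event (not a real capture); values are illustrative only.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID><Level>0</Level><Task>12544</Task><Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords><Channel>Security</Channel>
    <Security UserID="S-1-5-18"/>
  </System>
  <RenderingInfo Culture="en-US"><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode>
    <Keywords><Keyword>Audit Success</Keyword></Keywords>
  </RenderingInfo>
</Event>"""

# Assumed mapping: channel name -> "Log source" matcher value used in the name-based rule steps.
LOG_SOURCE = {"Application": "Windows Application Log",
              "Security": "Windows Security Log", "System": "Windows System Log"}

def _text(root, path):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None

def winlog_attributes(event_xml):
    """Map one event's XML to the winlog.* attributes listed in the table above."""
    root = ET.fromstring(event_xml)
    security = root.find("e:System/e:Security", NS)
    channel = _text(root, "e:System/e:Channel")
    return {
        "log.source": LOG_SOURCE.get(channel, channel),  # assumed key name
        "winlog.provider": root.find("e:System/e:Provider", NS).get("Name"),
        "winlog.eventid": int(_text(root, "e:System/e:EventID")),
        # Security@UserID is the SID string exactly as written in the XML
        "winlog.username": security.get("UserID") if security is not None else None,
        "winlog.level": _text(root, "e:RenderingInfo/e:Level"),
        "winlog.task": _text(root, "e:System/e:Task"),
        "winlog.opcode": _text(root, "e:RenderingInfo/e:Opcode"),
        "winlog.keywords": [k.text for k in root.findall("e:RenderingInfo/e:Keywords/e:Keyword", NS)],
    }

def matches_rule(attrs, conditions):
    """Illustrative ingest-rule check (not Dynatrace's implementation): every
    condition names an attribute and the set of values it may take."""
    for name, allowed in conditions.items():
        value = attrs.get(name)
        if not any(v in allowed for v in (value if isinstance(value, list) else [value])):
            return False
    return True
```

Running winlog_attributes on the sample shows which XML element or attribute feeds each matcher, so a rule such as Log source = Windows Security Log plus an event ID list can be checked before it is saved in the UI.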